
Anti-virus software on database servers?

I have a friend who's a database administrator and is looking for guidance. He wants to know what the best practices are for running anti-virus software on a database server.

The situation he recently found himself in was that the IT department installed McAfee on one of his Oracle database servers and he's concerned (feels) there's been a performance hit. Even worse, the install had nothing excluded and was scanning all files, etc.

I know that there is some AV software that has database server agents... at least I've heard they do. But other than the file system I'm just wondering what the threat is and/or the point of installing AV to scan the transactions, for example.

Anyone out there have some thoughts, tips, experience with this sort of thing?

Well, how about an example. Lotus Notes is built on the Domino database and you should certainly have some type of AV on it.

I guess it depends on what the database is doing....

Sorry, bad internet connection.

Norton has an interface for Oracle info store (or something) but it's the same premise...it's for mail.

I see a pattern forming

Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson

There are two pieces of best-practice advice I can give you. They are, as usual, not the only truth, and can be debated. Also, there is a dependency on the specific system architecture, as korpdeath is pointing out.

1. scan "on demand" rather than "scheduled".

i.e. scan as data is created, modified and read (with updated signatures).

Implications: How does the data get to or get read from the database? Is the database exposed or is the data processed already "somewhere" else? I just want to point out that there is no need to scan the data twice if the primary scan (and the path to the database servers) is trusted.

2. scan from a dedicated av-server (or av-server farm).

Personally I think having the AV on the db-servers is a mediocre approach. If the resources are available, dedicate one (or more) servers for scanning purposes. I found a paper illustrating what I mean [1]: look for "scanning pod".

I can only speak of my experience using Oracle database servers, where the server was only connected to its clients, so they were the primary attack vector. Sure, there are software updates to the server, but these should go through a dedicated malware scanning box first (we used to call them "sheep-dips").

Now, I am assuming that the AV on the clients is the same as on the server, so if anything does get through the client it will also get through the server, so duplicate scanning will achieve nothing and just waste resources. The client side is the key and you should have realtime scanning based on the traditional C.R.U.D. matrix (create, read, update, delete)... OK, you can forget the "delete".

Now, given that AV is mostly reactive you then have to plan for the database server getting infected before the pattern/signature files are updated. This is probably better done from a dedicated machine, and can be done when the server is not in use, so performance is no longer an issue. If an infection is detected in the clients, the connection should be pulled, the clients cleaned and the server cleaned.

There is no point in leaving uninfected clients attached to an infected server of course.

I think that your friend needs to plan how to use the software a bit more thoroughly, in that regular scans should be done when the clients are not using it.

Just my £0.02

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

Re: Anti-virus software on database servers?

Originally posted here by ric-o:

I have a friend who's a database administrator and is looking for guidance. He wants to know what the best practices are for running anti-virus software on a database server.

The situation he recently found himself in was that the IT department installed McAfee on one of his Oracle database servers and he's concerned (feels) there's been a performance hit. Even worse, the install had nothing excluded and was scanning all files, etc.

I know that there is some AV software that has database server agents... at least I've heard they do. But other than the file system I'm just wondering what the threat is and/or the point of installing AV to scan the transactions, for example.

Anyone out there have some thoughts, tips, experience with this sort of thing?

Use one -- it's another layer of defense against dumb admins browsing the web from the server (should never happen), or potentially catch something like Slammer down the line if the server ends up unpatched.

However, it should also be configured to be unobtrusive -- scanning executables is about it IMO. You should already be really picky about what gets onto a server, and you absolutely don't want it trying to scan backups, transaction logs, the databases themselves etc.
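The two recommendations above (sec_ware's "scan on access, don't scan data twice" and the advice here to scan executables only and keep the scanner away from datafiles, transaction logs and backups) boil down to a file-classification policy. The following is an added example written for this thread, not code posted by any of the participants or shipped by any AV vendor: it classifies paths on an Oracle host into data (never scan on-access), executable (scan) and other (leave to a scheduled off-hours scan), derives the directory exclusions that policy implies, and reports which data files a scanner would still touch with a given exclusion list, which is the original poster's "nothing excluded" situation. The directory names (`oradata`, `fast_recovery_area`, `archivelog`) and suffixes are the conventional Oracle ones and the sample inventory is constructed; adjust both to your own layout.

```python
"""Classify files on an Oracle database host for on-access AV scanning.

Policy (from the thread): on-access scan executables and scripts only;
never let the scanner touch datafiles, control files, redo/archive logs,
RMAN pieces or exports; everything else is left to a scheduled scan run
from a dedicated box when the clients are not using the database.
Added example, not vendor code: directory and suffix lists are assumptions.
"""
from pathlib import PurePosixPath

# Directory names that conventionally hold Oracle data and backups (assumption).
DATA_DIR_NAMES = {"oradata", "fast_recovery_area", "flash_recovery_area",
                  "archivelog", "backup", "rman"}
# Suffixes of database data: datafiles, control files, archived redo,
# RMAN backup pieces, Data Pump exports (assumption; extend as needed).
DATA_SUFFIXES = {".dbf", ".ctl", ".arc", ".bkp", ".dmp"}
# Content worth scanning on access: binaries, libraries and scripts.
EXEC_SUFFIXES = {".exe", ".dll", ".so", ".sh", ".pl", ".py", ".jar", ".bat", ".cmd"}
EXEC_DIR_NAMES = {"bin", "lib"}


def classify(path):
    """Return 'executable', 'data' or 'other' for a POSIX path string."""
    p = PurePosixPath(path)
    suffix = p.suffix.lower()
    if suffix in EXEC_SUFFIXES:
        return "executable"
    if suffix in DATA_SUFFIXES or set(p.parts) & DATA_DIR_NAMES:
        return "data"
    if p.parent.name in EXEC_DIR_NAMES:
        return "executable"
    return "other"


def exclusion_prefixes(inventory):
    """Directories to exclude from on-access scanning.

    For each data file, exclude the tree rooted at its first data-directory
    component (e.g. .../oradata); a data file outside any such directory
    gets only its parent directory excluded.
    """
    prefixes = set()
    for path in inventory:
        if classify(path) != "data":
            continue
        p = PurePosixPath(path)
        for i, part in enumerate(p.parts):
            if part in DATA_DIR_NAMES:
                prefixes.add(str(PurePosixPath(*p.parts[: i + 1])))
                break
        else:
            prefixes.add(str(p.parent))
    return sorted(prefixes)


def still_scanned(inventory, configured_exclusions):
    """Data files an on-access scanner would still read, given the exclusion
    prefixes actually configured. An empty list of exclusions models the
    original poster's installation."""
    excl = [PurePosixPath(e) for e in configured_exclusions]
    leaks = []
    for path in inventory:
        if classify(path) != "data":
            continue
        p = PurePosixPath(path)
        if not any(e == p or e in p.parents for e in excl):
            leaks.append(path)
    return leaks


# Constructed sample inventory of an Oracle host (not taken from the thread).
SAMPLE_INVENTORY = [
    "/u01/app/oracle/product/dbhome_1/bin/oracle",
    "/u01/app/oracle/product/dbhome_1/bin/sqlplus",
    "/u01/app/oracle/oradata/ORCL/system01.dbf",
    "/u01/app/oracle/oradata/ORCL/control01.ctl",
    "/u01/app/oracle/oradata/ORCL/redo01.log",
    "/u01/app/oracle/fast_recovery_area/ORCL/archivelog/1_42_1.arc",
    "/backup/rman/full_ORCL.bkp",
    "/u01/app/oracle/admin/ORCL/dpdump/expdat.dmp",
    "/u01/app/oracle/diag/rdbms/orcl/ORCL/trace/alert_ORCL.log",
    "/home/oracle/scripts/nightly_export.sh",
    "/tmp/upload/setup.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_INVENTORY:
        print(f"{classify(path):10} {path}")
    recommended = exclusion_prefixes(SAMPLE_INVENTORY)
    print("recommended exclusions:", recommended)
    print("data files still scanned with nothing excluded:",
          still_scanned(SAMPLE_INVENTORY, []))
    print("data files still scanned with recommended exclusions:",
          still_scanned(SAMPLE_INVENTORY, recommended))
```

Run it against a real inventory (for instance the output of `find / -type f` on the host) and feed `still_scanned` the exclusion list you actually configured in the scanner; anything it returns is a datafile or log the scanner is opening on every read and write, which is where the performance hit described in the first post comes from. The executable bucket is the only one that needs real-time scanning under this policy; the "other" bucket is what the scheduled scan from a dedicated machine covers.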

@tt!tud3, please check the original post; we are talking about an Oracle database server, and it should not be connected to the internet.

The attack vector is going to be from clients, possibly via an applications server.

People should not be uploading executables to it at all.

Anything that gets to it should already have been scanned, so realtime scanning on the database server is a waste of resources. Unless you are saying that the clients/application servers cannot be trusted?

If that is the case then you have a problem elsewhere that needs addressing. Database servers are not the place to do it; they are at the bottom of the food chain.


As Korpdeath and sec_ware pointed out, it all depends on your particular architecture and deployment.

However, I was particularly commenting on:

it's another layer of defense against dumb admins browsing the web from the server

That should not even be possible from a database server.

If, for whatever reason, you really need to connect via the internet then at least use a secure VPN, stick a webserver or applications server in between, but don't leave it exposed. In my opinion, database servers should be in the background and out of the firing line. Hey, the more stuff you have to run on them on top of their main functionality, the worse your performance is going to be.

"We are all lying in the gutter, but some of us are looking up at the stars"


Additional info and response to posts...
* The db server is NOT directly on the Internet.
* The db server is on its own DMZ.
* The web/app server (which is on the Internet) talking to it can only do so via specific db ports (via firewall rules of course).
* The db server is not used to surf with and is tightly controlled by the IT organization, and only specific IT machines have console access (and FTP, probably) to it.

It sounds like the best advice is to install AV on it to protect it from any network-borne attacks... although those could only be possible from an IT admin's machine, which is the only machine that has greater access (just RDP or VNC though). So the risk of a network attack is pretty low.

I think the only risk would be the possibility via db writes... but how? Is there really a risk here?